July 27, 2016

Secure C 102 - Heaps and Format Strings

We continue last time's lecture by discussing dynamic memory management (heap) based vulnerabilities, formatted-output/format-string vulnerabilities, and race conditions. For heap vulnerabilities we begin with Doug Lea's memory allocator (dlmalloc) and walk through how heap chunk allocation and freeing work with the dlmalloc unlink macro. We then cover how this has been classically exploited in heap buffer overflows. Use-after-free (UAF) vulnerabilities, double free vulnerabilities, and C++ vtables are also discussed in the heap section. The formatted-output security section explores common vulnerabilities arising from use of unsafe format string functions and from misuse of the safe ones. Exploitation of format string vulnerabilities is discussed both for gaining code execution and for information leakage or disclosure. Finally, race condition vulnerabilities are discussed at a high level, along with strategies for hunting them. Slides for this lecture begin on slide number 89.
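The two formatted-output pitfalls named above are easiest to see side by side in code. The following example is added here and is not part of the lecture or its slides; the `line_t`, `line_append_str` and `naive_remaining` names are my own. It shows (1) the hardened pattern of always passing untrusted text as a `%s` argument rather than as the format string, so conversions such as `%x` or `%n` inside the input stay inert data, and (2) the classic misuse of a "safe" function: `snprintf` returns the length the output *would* have had, not the number of bytes stored, so blindly adding its return value to an offset makes the next size computation wrap and the following call write past the buffer. The appender below clamps on truncation instead, and `naive_remaining` computes what the unchecked arithmetic would have produced.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A small fixed-size line buffer (assumed helper, not from the lecture). */
typedef struct {
    char   buf[32];
    size_t used;       /* bytes stored, excluding the terminating NUL */
    int    truncated;  /* set once output no longer fits */
} line_t;

void line_init(line_t *l) {
    memset(l, 0, sizeof *l);
}

/* Hardened append: the format is a literal, the untrusted text is a %s argument.
 * Returns 1 if the whole string fit, 0 if it was cut off (or on error). */
int line_append_str(line_t *l, const char *untrusted) {
    if (l->truncated)
        return 0;

    size_t remaining = sizeof l->buf - l->used;   /* always >= 1 here */
    int n = snprintf(l->buf + l->used, remaining, "%s", untrusted);
    if (n < 0) {
        l->truncated = 1;
        return 0;
    }
    if ((size_t)n >= remaining) {
        /* snprintf wrote remaining-1 bytes plus a NUL and reported the full length n.
         * The misuse is doing l->used += n here; on the next call
         * sizeof buf - used would wrap to a huge size and snprintf would
         * write past the end of buf. Clamp instead. */
        l->used = sizeof l->buf - 1;
        l->truncated = 1;
        return 0;
    }
    l->used += (size_t)n;
    return 1;
}

/* What the unchecked pattern computes as "bytes left" after an append that
 * reported n bytes: size - (used + n). Unsigned wrap is well defined, so this
 * can be evaluated safely to show the bogus value without touching memory. */
size_t naive_remaining(size_t size, size_t used, int n) {
    used += (size_t)n;          /* the buggy offset update */
    return size - used;         /* wraps when used > size */
}

int main(void) {
    line_t l;
    line_init(&l);

    line_append_str(&l, "user said: ");
    /* Constructed sample input containing conversions; passed via %s it is data. */
    line_append_str(&l, "%x %x %n");
    printf("buffer: \"%s\" (used=%zu)\n", l.buf, l.used);

    /* Constructed oversized input: gets truncated, and the appender stops. */
    int fit = line_append_str(&l, "0123456789012345678901234567890123456789");
    printf("fit=%d truncated=%d strlen=%zu\n", fit, l.truncated, strlen(l.buf));

    printf("naive remaining after the same append: %zu (buffer is 32 bytes)\n",
           naive_remaining(sizeof l.buf, 19, 40));
    return 0;
}
```

The detection angle for defenders is the same in both halves: a format argument that is not a string literal, and an `snprintf`/`vsnprintf` return value added to an offset without being compared against the space that was actually available.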